samba - Oct 2017 - Samba 4.6.2 member server errors

On Sat, 14 Oct 2017, Rowland Penny via samba wrote:
> On Sat, 14 Oct 2017 05:33:31 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Fri, 13 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Fri, 13 Oct 2017 11:45:43 +0200
>>> "L.P.H. van Belle via samba" <samba at
lists.samba.org> wrote:
>>>
>>>> Hai,
>>>>
>>>> I'll explain a bit.
>>>>
>>>>> There is no keytab on the member servers.
>>>
>>> Oh yes there is ;-)
>>
>> Seems reasonable. :-)
>>
>>> You only need an explicit keytab if something else requires it e.g.
>>> squid, Samba uses a keytab in memory.
>>
>> OK, please educate me, how do I reset it?
>>
>> I tried restarting everything and even re-joining the member server to
>> the domain. No joy. I am obviously missing something.
>>
>>>
>>>> Ok, can you post your smb.conf
>>>> Because without it is a guessing game as of this point.
>>>
>>> It always helps if the smb.conf is posted.
>>
>> I already sent it in reply to Louis's request. If you need it again
>> let me know.
>>
>> Also in case it is useful below is what I have in /etc/krb5.conf:
>>
>> [libdefaults]
>>      default_realm = SAMDOM.MYDOMAIN.COM
>>      dns_lookup_realm = false
>>      dns_lookup_kdc = true
>>
>> The weird thing about all of this is everything is working. Other than
>> the log messages, the only thing not normal is that winbind is
>> constantly running which has the machine's load higher than normal.
>>
>> Regards,
>>
>
> There doesn't seem to be anything wrong with your smb.conf and if
> everything is working okay and all that is worrying you is the log
> messages, change 'log level = 2' to 'log level = 1'. The
messages will
> stop ;-)
Yes I understand, however, there are 2 things I am concerned about.

When the errors are spewing, winbind never goes to sleep and the load on the
server runs somewhere between 6-8 constantly (as shown by top.). Even when
there is no one in the office and hence no files being served I still see the
high load.

When the errors stop (This happens intermittently) winbind will sleep and the
load settles down to < 1.

The other thing that concerns me is that I am wondering if this is an
indication that something more serious is about to break. It is one thing
for me to see things in the background and entirely something else for it
to impact the users. :-)

Suggestions?

Regards,

-- 
Tom			me at tdiehl.org

On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
me at tdiehl.org wrote:
> Yes I understand, however, there are 2 things I am concerned about.
> 
> When the errors are spewing, winbind never goes to sleep and the load
> on the server runs somewhere between 6-8 constantly (as shown by
> top.). Even when there is no one in the office and hence no files
> being served I still see the high load.
> 
> When the errors stop (This happens intermittently) winbind will sleep
> and the load settles down to < 1.
> 
> The other thing that concerns me is that I am wondering if this is an
> indication that something more serious is about to break. It is one
> thing for me to see things in the background and entirely something
> else for it to impact the users. :-)
> 
> Suggestions?
> 
> Regards,
> 
If nothing is connecting, then winbind shouldn't be doing much, so if
it is, you need to find out why.

Try running 'samba-tool dbcheck' on the DCs
Check replication between the DCs
Check the Samba logs on the DCs, is there anything relevant showing at
the time that winbind is overloading on the domain member
Raise the log levels on the DCs and domain members and see if anything
pops out.

One thing I noticed when I looked it your smb.conf again was this:

realm = SAMDOM.MYDOMAIN.com.COM

I take it this was just a typo when you sanitised it.

If this is only happening on one domain member, try comparing the
various files on one with the other (/etc/hosts, /etc/krb5.conf and so
on).

Rowland

On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Try running 'samba-tool dbcheck' on the DCs
dbcheck has the following output:

(vdc2 pts2) # samba-tool dbcheck
Checking 490 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in
object CN=User\0ADEL:5f387be0-63de-4486-b22a-bfff6bc2cbcb,CN=Deleted
Objects,DC=samdom,DC=mydomain,DC=com -
<GUID=bf3dbdad-516d-4ebc-beb9-2b9e3a1fa02b>;CN={A492ADAB-B0BE-4038-B6C7-B831D0C77359},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in
object CN=Machine\0ADEL:bc407cd8-3035-4a40-8171-f91616bd798f,CN=Deleted
Objects,DC=samdom,DC=mydomain,DC=com -
<GUID=bf3dbdad-516d-4ebc-beb9-2b9e3a1fa02b>;CN={A492ADAB-B0BE-4038-B6C7-B831D0C77359},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in
object CN=User\0ADEL:49f21be1-fe11-44fc-b483-28e06112084e,CN=Deleted
Objects,DC=samdom,DC=mydomain,DC=com -
<GUID=ab72e6be-b24a-4945-808c-1e1a366a1332>;CN={C8B52BEA-44ED-4A17-9B2D-0DAD8858286B},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in
object CN=Machine\0ADEL:772380e7-e1e5-4614-81c2-ba7a40efa27e,CN=Deleted
Objects,DC=samdom,DC=mydomain,DC=com -
<GUID=ab72e6be-b24a-4945-808c-1e1a366a1332>;CN={C8B52BEA-44ED-4A17-9B2D-0DAD8858286B},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
Checked 490 objects (0 errors)

Both dc's have the same output. The above says 0 errors but I am not sure if
the
above is relevant to this discussion or not.

> Check replication between the DCs
sysvol replication seems to be working. Is there something else I need to check?
> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member
No, but I have not looked with logging turned up.
> Raise the log levels on the DCs and domain members and see if anything
> pops out.
At the moment winbind is quiet. I will turn logging up on the dc's and the
file servers and see what pops up.

What is a good log level for troubleshooting something like this?
>
> One thing I noticed when I looked it your smb.conf again was this:
>
> realm = SAMDOM.MYDOMAIN.com.COM
>
> I take it this was just a typo when you sanitized it.
Yep!! You made me look to be sure though. :-)
> If this is only happening on one domain member, try comparing the
> various files on one with the other (/etc/hosts, /etc/krb5.conf and so
> on).
They are identical modulo things like host names, etc.. I use ansible to manage
them and set variables where appropriate.

Regards,

-- 
Tom			me at tdiehl.org

Hi Rowland,


On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member
> Raise the log levels on the DCs and domain members and see if anything
> pops out.
I ran the logging up to level 10 on the DC's and the file server.
The DC's do not show anything significant, at least not that I can tell.
There is so much info there I might be missing something.

On the file server I see the following at level 10:

[2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
   accepted socket 44
[2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
   process_request: Handling async request 58214:GETPWNAM
[2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam kmg\mb-shop9-17$
[2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:450(ndr_print_function_debug)
        wbint_LookupName: struct wbint_LookupName
           in: struct wbint_LookupName
               domain                   : *
                   domain                   : 'KMG'
               name                     : *
                   name                     : 'MB-SHOP9-17$'
               flags                    : 0x00000008 (8)
[2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:450(ndr_print_function_debug)
        wbint_LookupName: struct wbint_LookupName
           out: struct wbint_LookupName
               type                     : *
                   type                     : SID_NAME_USER (1)
               sid                      : *
                   sid                      :
S-1-5-21-3052942767-4183929206-737583365-1617
               result                   : NT_STATUS_OK
[2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
   SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
[2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0, 0)]
../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
   Parsing value for key
[IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: value=[-1:N]
[2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), real(0, 0)]
../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
   Parsing value for key
[IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: id=[4294967295],
endptr=[:N]
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617:
NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
   wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
   process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed
(-1765328353)
[2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Decrypt integrity check
failed
[2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0, 0)]
../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: MB-RECEPTION-17$ []

I do not know if it is important or not but these machines were just joined
to the domain within the last week or so.

I see many of these for different machines.

Please let me know what you think.

Regards,


-- 
Tom			me at tdiehl.org

Hi Tom, 

Small update. 

I'am also still looking into this but im not getting much futher..  
I am just reading :
https://blogs.msdn.microsoft.com/openspecification/2009/12/31/verifying-the-server-signature-in-kerberos-privilege-account-certificate/
Bit older but, im trying to understand more what happens here. 

And the only "guess" i can make here is . 
A kerberos ticket, with the wrong encryption type tried to validate. 
Base on that, but again, this is what i would try. 

For all servers in krb5.conf.  (* do you have any xp/w2003 or older in you lan ?
)
; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5

Or at least make sure they are the same. 
Run net cache flush on all server and reboot them. 

Of a wrong verifcation is somewhere in cache or memory, then this could help. 

Now, 
> I do not know if it is important or not but these machines 
> were just joined to the domain within the last week or so.
Yes, very important, because .. Whats the default time for a kerberos ticket. 
The default value for a TGT (also referred to as a user ticket) is 7 days, ...

And a computer is a user..  
So we are imo getting in the right direction. 

.... Still reading things here

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom 
> Diehl via samba
> Verzonden: maandag 16 oktober 2017 16:41
> Aan: Rowland Penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba 4.6.2 member server errors
> 
> Hi Rowland,
> 
> 
> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
> 
> > On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> > me at tdiehl.org wrote:
> >
> >> Yes I understand, however, there are 2 things I am concerned
about.
> >>
> >> When the errors are spewing, winbind never goes to sleep 
> and the load
> >> on the server runs somewhere between 6-8 constantly (as shown by
> >> top.). Even when there is no one in the office and hence no files
> >> being served I still see the high load.
> >>
> >> When the errors stop (This happens intermittently) winbind 
> will sleep
> >> and the load settles down to < 1.
> >>
> >> The other thing that concerns me is that I am wondering if 
> this is an
> >> indication that something more serious is about to break. It is
one
> >> thing for me to see things in the background and entirely
something
> >> else for it to impact the users. :-)
> >>
> >> Suggestions?
> >>
> >> Regards,
> >>
> >
> > If nothing is connecting, then winbind shouldn't be doing 
> much, so if
> > it is, you need to find out why.
> >
> > Check the Samba logs on the DCs, is there anything relevant 
> showing at
> > the time that winbind is overloading on the domain member
> > Raise the log levels on the DCs and domain members and see 
> if anything
> > pops out.
> 
> I ran the logging up to level 10 on the DC's and the file server.
> The DC's do not show anything significant, at least not that 
> I can tell.
> There is so much info there I might be missing something.
> 
> On the file server I see the following at level 10:
> 
> [2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:919(new_connection)
>    accepted socket 44
> [2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:734(process_request)
>    process_request: Handling async request 58214:GETPWNAM
> [2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>    getpwnam kmg\mb-shop9-17$
> [2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0), 
> real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>         wbint_LookupName: struct wbint_LookupName
>            in: struct wbint_LookupName
>                domain                   : *
>                    domain                   : 'KMG'
>                name                     : *
>                    name                     : 'MB-SHOP9-17$'
>                flags                    : 0x00000008 (8)
> [2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0), 
> real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>         wbint_LookupName: struct wbint_LookupName
>            out: struct wbint_LookupName
>                type                     : *
>                    type                     : SID_NAME_USER (1)
>                sid                      : *
>                    sid                      : 
> S-1-5-21-3052942767-4183929206-737583365-1617
>                result                   : NT_STATUS_OK
> [2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
>    SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
> [2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), 
> real(0, 0)] 
> ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
>    Parsing value for key 
> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>  value=[-1:N]
> [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), 
> real(0, 0)] 
> ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>    Parsing value for key 
> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>  id=[4294967295], endptr=[:N]
> [2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>    Could not convert sid 
> S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
> [2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:796(wb_request_done)
>    wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
> [2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:734(process_request)
>    process_request: Handling async request 58217:PAM_AUTH_CRAP
> [2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>    check_pac_checksum: PAC Verification failed: Decrypt 
> integrity check failed (-1765328353)
> [2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Decrypt integrity check failed
> [2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
>    Found account name from PAC: MB-RECEPTION-17$ []
> 
> I do not know if it is important or not but these machines 
> were just joined
> to the domain within the last week or so.
> 
> I see many of these for different machines.
> 
> Please let me know what you think.
> 
> Regards,
> 
> 
> -- 
> Tom			me at tdiehl.org
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>